RPC Internet Ports in Windows 2008

Recently, I was involved in a strange issue relating to the behavior of RPC Internet ports on a number of Windows 2008 R2 Domain Controllers.

RPC Internet Ports

On servers where the RPC Internet registry key was configured, some of the lower ports in the old dynamic range (1025-5000) were open and answering requests.

Conversely, I found that where the RPC Internet key was NOT applied, those ports remained closed.

It should also be noted that in every case where the RPC Internet key was set, none of the low ports appeared in the range specified in the registry (it was usually something like 5000-5050), BUT “UseInternetPorts” was incorrectly configured to “N”.

Even though the UseInternetPorts value probably should be set to “Y”, I ran a Wireshark capture on a system configured in the same way as the affected configuration above (no DCTcpipPort configured, but RPC Internet ports configured with UseInternetPorts set to “N”) and found that Netlogon requests were heading to port 1030. When I removed the RPC Internet keys (or simply changed UseInternetPorts to “Y”), the ports closed up and Netlogon moved elsewhere in the high dynamic range.

The image below shows a netstat from a 2008 DC running with the RPC Internet key configured with the values above – note the extra ports open between 1025 and 1032 (and nothing in the high dynamic range):

The screenshot below shows the same system with the RPC Internet key removed – DCTcpipPort was not set in either instance; notice how the ports are now sitting in the default dynamic range (49152-65535):

Thankfully, when DCTcpipPort is configured alongside the RPC Internet port range, the low ports still show, but RPC Netlogon moves to where it would be expected – whatever you have set DCTcpipPort to.

Setting “UseInternetPorts” to “N” in this way causes the system to ignore the range set within this key – the system then falls back to a dynamic range.

2. Let’s accept that these ports are supposed to be there – if the default range for dynamic ports changed in 2008 to 49152-65535, then why is it that when I enable an RPC Internet port range, things start firing up on ports 1025, 1026, 1027, 1028, 1029, 1030, etc.? Shouldn’t they fire up on port 49152 and beyond?

It seems more than likely that setting the RPC Internet port range in this way causes a Windows 2008 box to forget about the new dynamic range and, upon reboot, move things that were previously sitting on 49152-65535 back down to the old 1024-5000 range.

I guess this suggests that we should always set “UseInternetPorts” to “Y” if we want the specified range to actually work.
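As an added check (not part of the original post), the PowerShell script below reads the RPC Internet key and Netlogon's DCTcpipPort, warns when UseInternetPorts is anything other than “Y”, and lists any TCP listeners in the old 1025-5000 range so the misconfiguration described above can be spotted without a manual netstat. It assumes the documented locations HKLM\SOFTWARE\Microsoft\Rpc\Internet (values Ports, PortsInternetAvailable, UseInternetPorts) and HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (value DCTcpipPort), and parses netstat -ano so it also works on 2008 R2, where Get-NetTCPConnection is not available.

```powershell
# Added audit script; assumes the documented RPC\Internet and Netlogon key locations.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$nlKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RpcInternetConfig {
    # Returns $null when the key is absent (RPC then uses the default dynamic range)
    if (-not (Test-Path $rpcKey)) { return $null }
    $k = Get-ItemProperty -Path $rpcKey
    New-Object PSObject -Property @{
        Ports                  = @($k.Ports)
        PortsInternetAvailable = $k.PortsInternetAvailable
        UseInternetPorts       = $k.UseInternetPorts
    }
}

function Get-LowListeningPorts {
    # Parse "netstat -ano -p tcp" and keep LISTENING sockets in the old 1025-5000 range
    netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $f    = ($_ -replace '^\s+', '') -split '\s+'   # TCP, local, remote, state, pid
        $port = [int](($f[1] -split ':')[-1])            # last element works for [::]:port too
        if ($port -ge 1025 -and $port -le 5000) {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{ Port = $port; PID = [int]$f[4]; Process = $proc.ProcessName }
        }
    } | Sort-Object Port -Unique
}

$cfg    = Get-RpcInternetConfig
$dcPort = (Get-ItemProperty -Path $nlKey -ErrorAction SilentlyContinue).DCTcpipPort

if ($null -eq $cfg) {
    Write-Host 'RPC\Internet key not present: RPC uses the default dynamic range (49152-65535 on 2008+).'
} else {
    Write-Host ('RPC\Internet Ports={0} PortsInternetAvailable={1} UseInternetPorts={2}' -f `
        ($cfg.Ports -join ','), $cfg.PortsInternetAvailable, $cfg.UseInternetPorts)
    if ($cfg.UseInternetPorts -ne 'Y') {
        Write-Warning 'UseInternetPorts is not "Y": the configured Ports range is ignored and RPC falls back to a dynamic range.'
    }
}
if ($dcPort) { Write-Host "Netlogon DCTcpipPort = $dcPort" } else { Write-Host 'DCTcpipPort not set; Netlogon picks a dynamic port.' }

$low = Get-LowListeningPorts
if ($low) {
    Write-Warning 'TCP listeners found in the old 1025-5000 range:'
    $low | Format-Table Port, PID, Process -AutoSize
} else {
    Write-Host 'No TCP listeners in 1025-5000.'
}
```

Run it from an elevated prompt on each DC and compare the output with the expected Ports range and DCTcpipPort value for that host.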